1 // Copyright 2016 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BSSL_PKI_TRUST_STORE_IN_MEMORY_H_ 6 #define BSSL_PKI_TRUST_STORE_IN_MEMORY_H_ 7 8 #include "fillins/openssl_util.h" 9 #include <unordered_map> 10 11 12 #include "trust_store.h" 13 14 namespace bssl { 15 16 // A very simple implementation of a TrustStore, which contains a set of 17 // certificates and their trustedness. 18 class OPENSSL_EXPORT TrustStoreInMemory : public TrustStore { 19 public: 20 TrustStoreInMemory(); 21 22 TrustStoreInMemory(const TrustStoreInMemory&) = delete; 23 TrustStoreInMemory& operator=(const TrustStoreInMemory&) = delete; 24 25 ~TrustStoreInMemory() override; 26 27 // Returns whether the TrustStore is in the initial empty state. 28 bool IsEmpty() const; 29 30 // Empties the trust store, resetting it to original state. 31 void Clear(); 32 33 // Adds a certificate with the specified trust settings. Both trusted and 34 // distrusted certificates require a full DER match. 35 void AddCertificate(std::shared_ptr<const ParsedCertificate> cert, 36 const CertificateTrust& trust); 37 38 // Adds a certificate as a trust anchor (only the SPKI and subject will be 39 // used during verification). 40 void AddTrustAnchor(std::shared_ptr<const ParsedCertificate> cert); 41 42 // Adds a certificate as a trust anchor which will have expiration enforced. 43 // See VerifyCertificateChain for details. 44 void AddTrustAnchorWithExpiration( 45 std::shared_ptr<const ParsedCertificate> cert); 46 47 // Adds a certificate as a trust anchor and extracts anchor constraints from 48 // the certificate. See VerifyCertificateChain for details. 49 void AddTrustAnchorWithConstraints( 50 std::shared_ptr<const ParsedCertificate> cert); 51 52 // TODO(eroman): This is marked "ForTest" as the current implementation 53 // requires an exact match on the certificate DER (a wider match by say 54 // issuer/serial is probably what we would want for a real implementation). 55 void AddDistrustedCertificateForTest( 56 std::shared_ptr<const ParsedCertificate> cert); 57 58 // Adds a certificate to the store, that is neither trusted nor untrusted. 59 void AddCertificateWithUnspecifiedTrust( 60 std::shared_ptr<const ParsedCertificate> cert); 61 62 // TrustStore implementation: 63 void SyncGetIssuersOf(const ParsedCertificate* cert, 64 ParsedCertificateList* issuers) override; 65 CertificateTrust GetTrust(const ParsedCertificate* cert) override; 66 67 // Returns true if the trust store contains the given ParsedCertificate 68 // (matches by DER). 69 bool Contains(const ParsedCertificate* cert) const; 70 71 private: 72 struct Entry { 73 Entry(); 74 Entry(const Entry& other); 75 ~Entry(); 76 77 std::shared_ptr<const ParsedCertificate> cert; 78 CertificateTrust trust; 79 }; 80 81 // Multimap from normalized subject -> Entry. 82 std::unordered_multimap<std::string_view, Entry> entries_; 83 84 // Returns the `Entry` matching `cert`, or `nullptr` if not in the trust 85 // store. 86 const Entry* GetEntry(const ParsedCertificate* cert) const; 87 }; 88 89 } // namespace net 90 91 #endif // BSSL_PKI_TRUST_STORE_IN_MEMORY_H_ 92